CVE-2024-26614

CVE Details

Release Date:2024-02-29

Description


In the Linux kernel, the following vulnerability has been resolved:\ntcp: make sure init the accept_queue's spinlocks once\nWhen I run syz's reproduction C program locally, it causes the following\nissue:\npvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!\nWARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nRIP: 0010:__pv_queued_spin_unlock_slowpath (kernel/locking/qspinlock_paravirt.h:508)\nCode: 73 56 3a ff 90 c3 cc cc cc cc 8b 05 bb 1f 48 01 85 c0 74 05 c3 cc cc cc cc 8b 17 48 89 fe 48 c7 c7\n30 20 ce 8f e8 ad 56 42 ff <0f> 0b c3 cc cc cc cc 0f 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90\nRSP: 0018:ffffa8d200604cb8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9d1ef60e0908\nRDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9d1ef60e0900\nRBP: ffff9d181cd5c280 R08: 0000000000000000 R09: 00000000ffff7fff\nR10: ffffa8d200604b68 R11: ffffffff907dcdc8 R12: 0000000000000000\nR13: ffff9d181cd5c660 R14: ffff9d1813a3f330 R15: 0000000000001000\nFS: 00007fa110184640(0000) GS:ffff9d1ef60c0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000000 CR3: 000000011f65e000 CR4: 00000000000006f0\nCall Trace:\n\n_raw_spin_unlock (kernel/locking/spinlock.c:186)\ninet_csk_reqsk_queue_add (net/ipv4/inet_connection_sock.c:1321)\ninet_csk_complete_hashdance (net/ipv4/inet_connection_sock.c:1358)\ntcp_check_req (net/ipv4/tcp_minisocks.c:868)\ntcp_v4_rcv (net/ipv4/tcp_ipv4.c:2260)\nip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)\nip_local_deliver_finish (net/ipv4/ip_input.c:234)\n__netif_receive_skb_one_core (net/core/dev.c:5529)\nprocess_backlog (./include/linux/rcupdate.h:779)\n__napi_poll (net/core/dev.c:6533)\nnet_rx_action (net/core/dev.c:6604)\n__do_softirq (./arch/x86/include/asm/jump_label.h:27)\ndo_softirq (kernel/softirq.c:454 kernel/softirq.c:441)\n\n\n__local_bh_enable_ip (kernel/softirq.c:381)\n__dev_queue_xmit (net/core/dev.c:4374)\nip_finish_output2 (./include/net/neighbour.h:540 net/ipv4/ip_output.c:235)\n__ip_queue_xmit (net/ipv4/ip_output.c:535)\n__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)\ntcp_rcv_synsent_state_process (net/ipv4/tcp_input.c:6469)\ntcp_rcv_state_process (net/ipv4/tcp_input.c:6657)\ntcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1929)\n__release_sock (./include/net/sock.h:1121 net/core/sock.c:2968)\nrelease_sock (net/core/sock.c:3536)\ninet_wait_for_connect (net/ipv4/af_inet.c:609)\n__inet_stream_connect (net/ipv4/af_inet.c:702)\ninet_stream_connect (net/ipv4/af_inet.c:748)\n__sys_connect (./include/linux/file.h:45 net/socket.c:2064)\n__x64_sys_connect (net/socket.c:2073 net/socket.c:2070 net/socket.c:2070)\ndo_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:82)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7fa10ff05a3d\nCode: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89\nc2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ab a3 0e 00 f7 d8 64 89 01 48\nRSP: 002b:00007fa110183de8 EFLAGS: 00000202 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020000054 RCX: 00007fa10ff05a3d\nRDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\nRBP: 00007fa110183e20 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000202 R12: 00007fa110184640\nR13: 0000000000000000 R14: 00007fa10fe8b060 R15: 00007fff73e23b20\n\nThe issue triggering process is analyzed as follows:\nThread A Thread B\ntcp_v4_rcv//receive ack TCP packet inet_shutdown\ntcp_check_req tcp_disconnect //disconnect sock\n... tcp_set_state(sk, TCP_CLOSE)\ninet_csk_complete_hashdance ...\ninet_csk_reqsk_queue_add \n---truncated---

See more information about CVE-2024-26614 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 3.3 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Local network Attack Complexity: Low
Privileges Required: Low User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: Low

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (kernel)ELSA-2024-51012024-08-08
Oracle Linux version 9 (kernel)ELSA-2024-93152024-11-14


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete